LeakyCreds

CVE-2026-26022 - Vulnerability Analysis

Severity: High, CVSS: 8.7

Last Updated: March 6, 2026

Gogs - Stored XSS

Published: March 5, 2026
Updated: March 6, 2026
PoC Available
Remote Exploitable

Overview

Gogs versions prior to 0.14.2 contain a stored XSS: the HTML sanitizer applied to comments and issue descriptions allows the data: URI scheme, letting an authenticated user store content that executes arbitrary JavaScript. Exploitation requires an authenticated account.
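As an added illustration (not Gogs's own sanitizer and not code from this advisory), the Go block below shows the kind of scheme allowlist check an HTML sanitizer applies to link attributes such as href and src. The allowlist and the sample attribute values are constructed for the example; including "data" in such a list is the weak configuration the advisory describes, and the hardened form simply omits it. The check also applies the WHATWG URL normalization (drop ASCII tab, CR and LF anywhere; trim leading and trailing C0 controls and spaces) before reading the scheme, so that the sanitizer classifies a value the same way a browser will.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedSchemes is a constructed allowlist (assumption for this example).
// The weak configuration from the advisory would be this map with
// "data": true added; the hardened form leaves it out.
var allowedSchemes = map[string]bool{
	"http":   true,
	"https":  true,
	"mailto": true,
}

// normalize mirrors the WHATWG URL parser's pre-processing: ASCII tab,
// CR and LF are removed anywhere in the input, then leading and trailing
// C0 controls and spaces are trimmed. Without this, " data:..." or
// "da\tta:..." would parse as a scheme-less relative path here while a
// browser would still treat it as a data: URL.
func normalize(s string) string {
	s = strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1
		}
		return r
	}, s)
	return strings.TrimFunc(s, func(r rune) bool { return r <= 0x20 })
}

// LinkAllowed reports whether a raw link attribute value may be kept.
// Relative URLs (no scheme) are accepted; any value whose scheme is not
// in the allowlist, or that fails to parse at all, is rejected.
func LinkAllowed(raw string) bool {
	u, err := url.Parse(normalize(raw))
	if err != nil {
		return false
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme == "" {
		// e.g. "/user/repo/issues/1": relative to the site, fine
		return true
	}
	return allowedSchemes[scheme]
}

// StripDisallowedLinks is a small stand-in for the attribute pass of a
// sanitizer: given href values extracted from a comment, return only
// those that survive the allowlist. A real sanitizer runs this check on
// each attribute while walking the parsed HTML tree.
func StripDisallowedLinks(hrefs []string) []string {
	kept := make([]string, 0, len(hrefs))
	for _, h := range hrefs {
		if LinkAllowed(h) {
			kept = append(kept, h)
		}
	}
	return kept
}

func main() {
	// constructed sample attribute values
	samples := []string{
		"https://example.com/",
		"/user/repo/issues/1",
		"mailto:dev@example.com",
		"data:text/plain,hello",
		"DATA:text/plain,hello",
		"  javascript:placeholder",
		"java\tscript:placeholder",
	}
	for _, s := range samples {
		fmt.Printf("%-32q allowed=%v\n", s, LinkAllowed(s))
	}
}
```

The point of the example is that the fix is a configuration decision, not new parsing logic: a sanitizer is only as safe as the scheme list it is handed, and data: belongs in that list only where a deliberate review has accepted that the URI body is effectively arbitrary content.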

Severity & Score

Severity: High
CVSS Score: 8.7
EPSS Score: 3.5% (probability of exploitation in the next 30 days)

Impact

Authenticated users can execute arbitrary JavaScript, potentially leading to session hijacking or user impersonation.

Mitigation

Upgrade to version 0.14.2 or later.

Social Media Activity (1 post)

TheHackerWire (@thehackerwire), Mar 5, 2026

🟠 CVE-2026-26022 - High (8.7) Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI sche... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26022/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-26022
Severity: High
CVSS Score: 8.7
Type: stored_xss
Status: confirmed
EPSS: 3.5%
Social Posts: 1

CWE

  • CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. cross-site scripting)

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Score

3.5% (probability of exploitation in the next 30 days)